--------------------------------------------------------------------------- Daemon workspace ownership helpers --------------------------------------------------------------------------- requireDaemonWorkspaceAccess verifies the caller has access to the given workspace. For daemon tokens (mdt_), com
(w http.ResponseWriter, r *http.Request, workspaceID string)
// requireDaemonWorkspaceAccess verifies the caller has access to the given workspace.
// For daemon tokens (mdt_), compares the token's workspace ID directly.
// For PAT/JWT fallback, verifies user membership in the workspace.
//
// On denial it writes a 404 to w and returns false; the same "not found"
// body is used for every failure so a caller cannot tell a nonexistent
// workspace from one it is not permitted to see. Returns true when the
// request may proceed.
func (h *Handler) requireDaemonWorkspaceAccess(w http.ResponseWriter, r *http.Request, workspaceID string) bool {
	ctx := r.Context()

	// An empty ID can never be authorized; reject before any lookup.
	if workspaceID == "" {
		writeError(w, http.StatusNotFound, "not found")
		return false
	}

	// Daemon token: a non-empty daemon workspace ID in the context marks the
	// request as daemon-authenticated. The only thing that grants access here
	// is an exact match; the membership path below is deliberately not
	// consulted for daemon tokens.
	switch tokenWsID := middleware.DaemonWorkspaceIDFromContext(ctx); {
	case tokenWsID == "":
		// Not a daemon token; fall through to the membership check.
	case tokenWsID == workspaceID:
		return true
	default:
		writeError(w, http.StatusNotFound, "not found")
		return false
	}

	// PAT/JWT fallback: a positive cache hit short-circuits the DB lookup.
	// Only positive results are ever cached, so a revoked membership keeps
	// working until the cached entry expires (expiry is governed by
	// MembershipCache, not here).
	uid := requestUserID(r)
	if uid != "" && h.MembershipCache.Get(ctx, uid, workspaceID) {
		return true
	}

	// Authoritative membership check; requireWorkspaceMember is passed w and
	// the "not found" message, so presumably it writes the error response
	// itself on failure — nothing is written here in that case.
	_, member := h.requireWorkspaceMember(w, r, workspaceID, "not found")
	if !member {
		return false
	}
	if uid != "" {
		h.MembershipCache.Set(ctx, uid, workspaceID)
	}
	return true
}
| 69 | |
| 70 | // requireDaemonRuntimeAccess looks up a runtime and verifies the caller owns its workspace. |
| 71 | // |